A Hull man has been given a suspended sentence for looking at hundreds of women's medical records.
Dale Trever, 22, was working for Hull Primary Care Trust as a "care data quality facilitator" when he accessed medical records of 413 female patients. The court was told he accessed records 597 times.
He started his snooping …

No...

I can't speak from the point of view of Police or Online Shopping, but Banks (In the EU, at least) are very sensitive to this sort of thing. It may even now be a regulatory requirement, but there was a wake-up call when someone at Vodafone downloaded all of David Beckham's text messages and sold them to some tabloid.

The bank that I work at has systems that detect if people's accounts are looked at and no work is actually carried out.

who does what with whose medical record has to be logged

He didn't have to look at very many records he had no reason to view before the logs left behind of his illegal access caught up with him. And of course validity of these logs all depends upon cutbacks not cheapening systems to the point where it becomes feasible and routine for NHS person A to authenticate using NHS person B's credentials.

Re: I bet this isn't rare

When I was doing desktop support at a BT call centre in Dundee, some customer service droid checked out Thomas Hamilton's account after the Dunblane Massacre. Later that day he was marched off the office floor (and then out of the building some time afterwards) by three spooky-looking suits assisted by two of her majesty's finest. Rumour had it that the suits actually flew up from Oswestry.

It was also routine for the droids to receive calls from security goons immediately after having legitimately viewed/amended a high profile person's account. Your average BT account holder scum seemed to be fair game though.

Wasn't this expected, predicted?

"The court was told he accessed records 597 times ... Trever pleaded guilty to seven counts of breaking the Computer Misuse Act"

Why wasn't this 579 counts of breaking the Act? Why did it take an 'on-the-ball' practice manager to 'suspect' this, instead of in-built warning systems to detect it?

Have the people whose medical records have been browsed by this sad idiot been told that their data privacy has been breached and been advised of steps they can take to bring action against the idiot or the NHS? I doubt it. The only thing we can be sure of is that any Government organisation will totally foul-up any data protection obligations they have.

Why?

"Why did it take an 'on-the-ball' practice manager to 'suspect' this, instead of in-built warning systems to detect it?"

Because it was built by the company that tendered the cheapest quote, meaning that to meet the budget and deadlines, as well as to speed up the system so it only took 2 minutes to log in to, the security module was reduced to a user name and password stored in plain text in the system database.

The database was of course a MSSQL server with the default admin password open to anyone with a PC on the 'trusted' medical network.

What, like assault someone, or read some records?

At least the Police have a policy in place

They randomly pick PNC checks and ask you to justify your reasons for requesting it. I gave a fixed penalty to a car on my street (it was blocking the road) and needed a PNC check to see if I could locate the owner first. Within a day I had a letter asking to prove this was a legitimate check.

Seems harsh

The offence should be committed when someone *acts on* information they were not supposed to have known (including passing it on to a third party), not when they merely discover it. At least credit people with a bit of discretion, FCOL.

I guess they did

Not to sane people it doesn't

"The offence should be committed when someone *acts on* information they were not supposed to have known"

No, the offence is clearly defined (why do I have to keep repeating this every time a CMA story comes along) by S1 of the CMA. You don't get to break the law and then say "no harm, no foul", it doesn't - and shouldn't - work like that.

For the hard of thinking, the offence was not "looking at the data", but breaching the CMA in getting access to the data to look at in the first place, m'kay ?

I know what the law says

If someone finds out something that wasn't specifically volunteered to them, but manages to keep quiet about it anyway, then I really don't see the harm in that.

Of course, knowing something that you weren't supposed to know can sometimes create interesting situations (such as knowing that the gas fire in the holiday cottage where you have been sleeping with your mistress has been chuffing out CO, but not being able to warn your wife about it before she takes the kids there for a surprise holiday for fear of your affair being discovered) but they are the exception, and should be dealt with on a case-by-case basis.

It's not so much that other people know things about you that you'd rather they didn't, as that you know they know those things.

Oh Cool

So now there's proof that you can whip through those huge databases that UK poli's have been saying are "Absolutely Secure", collect whatever information you want, and then just walk off the charge by saying you were curious.

Good job I don't live in Hull

Another reason why ...

centralised health records are dangerous. Centralised anything in fact, and amalgamated multiple databases are even worse.

Patients can easily be given a memory fob on which all their medical data is stored and handed over for perusal or updating by a doctor. Prescriptions could also be entered and the chemist/pharmacist would have limited read/write rights so no duplicate prescriptions can be issued without authority.

It will stop double-doctoring, too, no dongle - no service except in emergency.

I attended a hospital in Toronto for around 7 months and my electronic record, including X-rays was around 5 megabytes - which was copied, at my request, to my dongle.

This is what happens

When you restrict people's internet access at lunchtimes. They have nothing better to do, and can't look on spacebook, so they idly flick through random women's medical records. If they'd have let him browse porn at lunchtime, there'd be no problem.

We used to call them

clever trever

not new

I was "let go" from a job for looking up an email-friend-but-also-customer's phone number on the computer, and she complained ..... 22 years ago, and we got married soon after..!

Slightly more recently ... somewhere in a different ex-employer's email archives might yet still be several complete copies of GP medical systems that I worked on, doing a data-conversion between systems. Wonder if the DPO should ask them..

Several people...

...mentioning the (bloody awful) summary care records system here. And it does, indeed, have its issues and I must get around to opting out of it, however this doesn't necessarily mean that he used the summary cockup system to get the info. It could have come from whichever local patient management system was being used.

Or did the article mention that he used the SPINE/whatever they're calling it this week to get the info? (Apologies to all if it did, but it's well on the way to beer o' clock here and I'm tired...)

Sorry, no. Not even in jest.

I am a professional. In 20 years of dealing with email systems, personnel databases, payroll systems, whatever, I have *never* looked at any data without first seeking authorisation and having a damn good reason for doing so.

Anyone who thinks the data is there for their personal amusement should on no account be allowed access to any systems, of any sort.

NHS don't care about your data

A hospital near me closed in 1985 and stood derelict until 2006. After exploring it thoroughly (boys will be boys) we found a room filled with filing cabinets containing people's medical records. As far as I know they remained there until the day the building was razed.

It doesn't matter how your data is stored, if the organisation storing it isn't particularly interested in keeping it safe, then it won't be safe.